From: "Kirill A. Shutemov" <kirill@shutemov.name>
To: Michal Hocko <mhocko@suse.cz>
Cc: Tejun Heo <tj@kernel.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
cgroups@vger.kernel.org, Johannes Weiner <hannes@cmpxchg.org>,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>,
Andrew Morton <akpm@linux-foundation.org>,
Anton Vorontsov <anton.vorontsov@linaro.org>
Subject: Re: [PATCH 1/3] memcg: limit the number of thresholds per-memcg
Date: Thu, 8 Aug 2013 01:05:13 +0300 [thread overview]
Message-ID: <20130807220513.GA8068@shutemov.name> (raw)
In-Reply-To: <20130807143727.GA13279@dhcp22.suse.cz>
On Wed, Aug 07, 2013 at 04:37:27PM +0200, Michal Hocko wrote:
> On Wed 07-08-13 09:58:18, Tejun Heo wrote:
> > Hello,
> >
> > On Wed, Aug 07, 2013 at 03:46:54PM +0200, Michal Hocko wrote:
> > > OK, I have obviously misunderstood your concern mentioned in the other
> > > email. Could you be more specific what is the DoS scenario which was
> > > your concern, then?
> >
> > So, let's say the file is write-accessible to !priv user which is
> > under reasonable resource limits. Normally this shouldn't affect priv
> > system tools which are monitoring the same event as it shouldn't be
> > able to deplete resources as long as the resource control mechanisms
> > are configured and functioning properly; however, the memory usage
> > event puts all event listeners into a single contiguous table which a
> > !priv user can easily expand to a size where the table can no longer
> > be enlarged and if a priv system tool or another user tries to
> > register event afterwards, it'll fail. IOW, it creates a shared
> > resource which isn't properly provisioned and can be trivially filled
> > up making it an easy DoS target.
>
> OK, got your point. You are right and I haven't considered the size of
> the table and the size restrictions of kmalloc. Thanks for pointing this
> out!
> ---
> From cde8a3333296eddd288780e78803610127401b6a Mon Sep 17 00:00:00 2001
> From: Michal Hocko <mhocko@suse.cz>
> Date: Wed, 7 Aug 2013 11:11:22 +0200
> Subject: [PATCH] memcg: limit the number of thresholds per-memcg
>
> There is no limit for the maximum number of threshold events registered
> per memcg. It is even worse that all the events are stored in a
> per-memcg table which is enlarged when a new event is registered. This
> can lead to the following issue mentioned by Tejun:
> "
> So, let's say the file is write-accessible to !priv user which is
> under reasonable resource limits. Normally this shouldn't affect priv
> system tools which are monitoring the same event as it shouldn't be
> able to deplete resources as long as the resource control mechanisms
> are configured and functioning properly; however, the memory usage
> event puts all event listeners into a single contiguous table which a
> !priv user can easily expand to a size where the table can no longer
> be enlarged and if a priv system tool or another user tries to
> register event afterwards, it'll fail. IOW, it creates a shared
> resource which isn't properly provisioned and can be trivially filled
> up making it an easy DoS target.
> "
>
> Let's be more strict and cap the number of events that might be
> registered. MAX_THRESHOLD_EVENTS value is more or less random. The
> expectation is that it should be high enough to cover reasonable
> usecases while not too high to allow excessive resources consumption.
> 1024 events consume something like 16KB which shouldn't be a big deal
> and it should be good enough.
Is it correct that you fix one local DoS by introducing a new one?
With the page the !priv user can block root from registering a threshold.
Is it really the way we want to fix it?
--
Kirill A. Shutemov
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2013-08-07 22:04 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-07 11:28 [PATCH 1/3] memcg: limit the number of thresholds per-memcg Michal Hocko
2013-08-07 11:28 ` [PATCH 2/3] memcg: Limit the number of events registered on oom_control Michal Hocko
2013-08-07 13:08 ` Tejun Heo
2013-08-07 13:11 ` Tejun Heo
2013-08-07 13:37 ` Michal Hocko
2013-08-07 13:47 ` Tejun Heo
2013-08-07 13:57 ` Michal Hocko
2013-08-07 14:01 ` Tejun Heo
2013-08-07 14:47 ` Michal Hocko
2013-08-07 17:30 ` Michal Hocko
2013-08-09 0:46 ` Tejun Heo
2013-08-07 11:28 ` [PATCH 3/3] vmpressure: limit the number of registered events Michal Hocko
2013-08-07 13:22 ` [PATCH 1/3] memcg: limit the number of thresholds per-memcg Tejun Heo
2013-08-07 13:46 ` Michal Hocko
2013-08-07 13:58 ` Tejun Heo
2013-08-07 14:37 ` Michal Hocko
2013-08-07 22:05 ` Kirill A. Shutemov [this message]
2013-08-08 14:43 ` Michal Hocko
2013-08-09 0:50 ` Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130807220513.GA8068@shutemov.name \
--to=kirill@shutemov.name \
--cc=akpm@linux-foundation.org \
--cc=anton.vorontsov@linaro.org \
--cc=cgroups@vger.kernel.org \
--cc=hannes@cmpxchg.org \
--cc=kamezawa.hiroyu@jp.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.cz \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).